
In early August we discussed a case where a backdoor (BKDR_ANDROM.ETIN) was being installed filelessly onto a target system using JS_POWMET.DE, a script that abused various legitimate functions. At the time, we did not know how the threat arrived onto the target machine. We speculated that it was either downloaded by users or dropped by other malware.

We recently learned the exact arrival method of this backdoor. As it turned out, we were wrong: it was neither dropped nor downloaded. Instead, it arrived via USB flash disks.

Technical Details

The USB flash disk contains two malicious files (both detected as TROJ_ANDROM.SVN), which are named:

The disk’s autorun.inf file was likely modified to run the former file, which is capable of decrypting the contents of the latter. The decrypted contents are loaded directly into memory and run from there. The decryptor’s filename serves as the encryption key in this instance. No file is actually saved onto the affected system.

The decrypted code is responsible for creating the autostart registry entry that served as the starting point for our previous analysis. We won’t recap the entire infection chain here; we’ll instead note that the end result was the installation of a backdoor detected as BKDR_ANDROM.ETIN. None of this has changed.

Figure 1. Infection chain

Two things are worth noting here. First, the process differs slightly based on the version of Windows installed. The process is relatively straightforward for Windows 10—the registry entry is created, eventually leading to the download and execution of a backdoor onto the affected system. On earlier versions of Windows, however, there is an additional step: a second backdoor (detected as BKDR_ANDROM.SMRA) is also dropped in the %AppData% folder, with the filename ee{8 random characters}.exe. A shortcut to it is also created in the user startup folder, ensuring that this second backdoor is automatically executed.

One more thing to note is that the URL contained in the created registry entries differs—one URL is used for Windows 10, another for earlier versions of Windows. While we didn’t see any difference in the actual behavior, this could allow for different attacks to be delivered based on the user’s operating system.

It’s unclear why this second backdoor is installed in a manner that is less sophisticated than the other method used by this attack. It could be a diversion: a researcher or user would be able to find this second backdoor much more easily than the first fileless one. Removing this more obvious backdoor might allow the more stealthy fileless threat to remain undetected.
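The two persistence artifacts described above (an autostart registry value that embeds a URL, and a startup-folder shortcut to an ee{8 random characters}.exe file in %AppData%) can be hunted for together. The script below is an added example and is not code from the original post or from Trend Micro; it assumes a Windows host with PowerShell 5 or later, and it assumes the autostart entry lives in the standard HKCU/HKLM Run keys, which the post does not specify.

```powershell
# Added hunt script (not from the original post). Assumes Windows, PowerShell 5+,
# and that the autostart entry is in the standard Run keys (an assumption).
$findings = @()

# 1. Run-key values that embed a URL: the fileless autostart described in the post.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata (PSPath etc.)
        if ("$($p.Value)" -match '(?i)https?://') {
            $findings += [pscustomobject]@{ Type = 'RunKeyWithUrl'; Location = "$key\$($p.Name)"; Detail = $p.Value }
        }
    }
}

# 2. The second backdoor: %AppData%\ee<8 chars>.exe plus a shortcut to it in the user Startup folder.
$eePattern = '(?i)\\ee[^\\]{8}\.exe$'
Get-ChildItem -Path $env:APPDATA -Filter 'ee*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -match $eePattern } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'AppDataEeExe'; Location = $_.FullName; Detail = $_.Length }
    }

$startup = [Environment]::GetFolderPath('Startup')
$shell   = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -Filter '*.lnk' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath   # resolve the .lnk target
    if ($target -match $eePattern) {
        $findings += [pscustomobject]@{ Type = 'StartupShortcutToEeExe'; Location = $_.FullName; Detail = $target }
    }
}

if ($findings.Count -eq 0) { 'No ANDROM persistence artifacts found.' } else { $findings | Format-Table -AutoSize }
```

Run it in the context of the user whose profile is being checked, since both the HKCU Run key and the Startup folder are per-user; a hit on only the second backdoor should prompt a look for the first, given the diversion hypothesis above.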

Trend Micro solutions

Trend Micro endpoint solutions such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security all include behavior monitoring to detect fileless malware attacks. This helps organizations spot malicious behavior and block the malware before that behavior is executed or performed.